#!/usr/bin/env bash

cd $(dirname $0)/..

SCAN_OUTPUT="trivy_scan_report.txt"
rm "$SCAN_OUTPUT"

# Download the Rancher OpenVEX Trivy report
curl -fsSO https://raw.githubusercontent.com/rancher/vexhub/refs/heads/main/reports/rancher.openvex.json

for IMAGE in $(cat build/images*.txt); do
    echo "Scanning image: $IMAGE"
    
    # Run Trivy scan and append the report to the output file
    trivy image "${IMAGE}" -q --no-progress \
      --severity ${SEVERITIES:-CRITICAL,HIGH} \
      --ignore-unfixed --show-suppressed \
      --vex rancher.openvex.json >> "$SCAN_OUTPUT"
    
    if [ "$1" = "dump-report" ]; then
      trivy image "${IMAGE}" -q --no-progress \
      --severity ${SEVERITIES:-CRITICAL,HIGH} \
      --ignore-unfixed \
      -f json \
      --exit-code 1 \
      --vex rancher.openvex.json > "temp.json"
      RC=$?
      if [ ${RC} -gt 0 ]; then
        echo -e "\nSev\tPackage\tVulnID\tInstalled\tFixed"
        jq -rc '.Results[].Vulnerabilities | select( . != null ) | .[] | "\(.Severity)\t\(.PkgName)\t\(.VulnerabilityID)\t\(.InstalledVersion)\t\(.FixedVersion)"' "temp.json" | sort
        echo
      fi
    fi
done

rm rancher.openvex.json
[ "$1" = "dump-report" ] && rm temp.json
echo "Trivy scan completed. Reports are saved in $SCAN_OUTPUT."